Aanval SAS Training from Tactical FLEX, Inc.

Tactical FLEX, Inc. has been shaping the information security world since 2003 and understands that the threat management tools available can be complex, and so can using them. Aanval SAS is a solid, robust, and fully featured SIEM; understanding its capabilities not only improves the user experience but also strengthens the user’s security posture and situational awareness.

Tactical FLEX, Inc. offers on-site and remote training courses for Aanval SAS. Instructor-led and user-driven sessions optimally occur on the user’s newly installed Aanval SAS console, so that as features and tools are discussed, installed, and configured in detail, users have the opportunity to build and implement their custom IDS system.

Detailed training materials are additionally provided for future reference.

To ensure you’re getting the most out of your Aanval SAS console, whether you are completely new or a long-time user now upgrading to Aanval SAS, contact your sales advisor or the sales or support department directly to schedule your team’s training sessions. We want you to feel not only comfortable but confident in your purchase and in your ability to tackle network threats with Aanval SAS’ quiver of defensive and offensive tools.

Contact Tactical FLEX, Inc.

The Challenge of Building and Improving on a Network Operations Center (NOC).

“Why Outsourcing to a Capable Managed Service Provider is the Only Cost Efficient Short-Cut”

Organizations spend significantly to set up information security controls for their business infrastructure. Aside from the evolving threat environment calling for 24/7 monitoring capabilities, organizations are also going to great lengths to stay competitive by keeping their systems running 24 hours a day, 365 days a year. As a result, the day-to-day maintenance of computer networks and systems grows ever more complex and unmanageable, and organizations have recognized the importance of building an NOC as a central control facility for network management. According to Infosectoday.com, by offering a real-time survey of an organization’s current security status, an NOC gives businesses a powerful tool not only for controlling, responding to, and preventing threats impacting their environment, but also for reducing risk and avoiding costly downtime while protecting brand and reputation.

In this blog, we will explore the challenges of building an NOC, and of improving on an existing NOC, when organizations are cutting infrastructure costs to save funding. The biggest drawback in building a 24/7 NOC is cost, as it requires a substantial financial investment to build, manage, and maintain. Not all organizations have the resources, time, expertise, or financial backing to build and staff a dedicated NOC. Depending on the size of the infrastructure, setting up and maintaining an around-the-clock managed solution can cost an organization anywhere from tens of thousands to hundreds of thousands of dollars.

Here are some important cost factors to consider:

1. Before implementing an NOC, organizations need time to create a comprehensive plan covering NOC design: processes, workflows, written policies, threat management procedures, and the selection of a building site that is safe and secure. Planning disaster recovery operations is also a requirement, involving security executives, IT departments, and upper management. Many difficult planning tasks and projects are involved in making an NOC successful.
2. Purchase of data center technology, with expensive hardware, computer servers, and various network equipment.
3. Organizations need to select network management software, reporting software, and notification software for managing their network. This is where an investment in a SIEM tool to collect, store, and analyze an enormous amount of log data makes an impact.
4. Organizations need to staff highly skilled IT analysts who understand the latest threats and technological developments and who are able to monitor and manage a 24/7 NOC. Since an NOC is operational around the clock, staffing is frequently one of the most challenging aspects of building one.
5. Experts such as system and network administrators would need to be staffed to keep the network running, tune intrusion detection activities and rules, and manage a development lab. Forensic experts would also be needed to provide more in-depth analyses.

How can Organizations Build or Upgrade a Successful NOC with Little or No Budget? The Only Short Cut is to Outsource and Work with a Qualified Managed Service Provider.

According to Security Magazine, the business of running an NOC is a difficult one. Who has the time to retain the right people, build comprehensive processes and procedures, and implement a robust Security Information and Event Management (SIEM) infrastructure? Those tasks require time, expertise, and experience. Is there a shortcut? Yes, there is. The only shortcut in establishing a capable NOC is to outsource the monitoring and management to a qualified managed service provider such as Tactical FLEX, Inc. Outsourcing allows organizations to lower their IT management and infrastructure costs and to focus on their core business.

Are you planning to have an NOC up and running in two months but don’t necessarily care about it running five years from now? It’s important to note that the increasing pace of technology development and the increasing value of new security technology mean that NOC design must consider both current and future technology; otherwise, improving an existing NOC facility later will cost a lot of time and resources.

According to Securityinfowatch.com, if organizations are considering upgrading their NOCs, there are many factors involved including:

1. Primary and Alternate Location
2. Range of Functions
3. Scope of Local, Regional, or Global Monitoring
4. Personnel Size and Equipment
5. Current and Future Technology

In addition, security experts believe that without a properly deployed, current-technology NOC, organizations are likely spending more money than necessary and getting less security than they should.

Learn how our NSOC can effectively manage your security needs. View our Sept. 2012 Newsletter.

Visit the NSOC at Tactical FLEX, Inc. http://www.aanval.com/nsoc.

Suricata vs Snort Overview. Need an IDS? Give Both Suricata and Snort a Try. Here’s Why.

“Why run Snort over Suricata or vice-versa? New trend is both systems in the same environment and event correlation done with Aanval SAS”

There are several intrusion detection system packages available to automate and simplify the process of intrusion detection, and Snort is one of the best options. Snort has become the single most widely deployed and trusted intrusion prevention and detection technology in the world. SC Magazine stated that the success of Snort IDS is due to the fact that users in the open source security community worldwide can detect and respond to bugs, worms, malware attacks, and other security threats faster and more efficiently than other IDS engines. Furthermore, there are a wide variety of reference guides available for installing, configuring, deploying, and managing Snort IDS sensors and rule-based signatures on a network.

To summarize, Snort, an IDS engine, delivers many benefits:

1. Scalability: Snort can be successfully deployed on any network environment.
2. Flexibility and Usability: Snort can run on various operating systems including Linux, Windows, and Mac OS X.
3. Live and Real-Time: Snort can deliver real-time network traffic event information.
4. Flexibility in Deployment: There are thousands of ways that Snort can be deployed and a myriad of databases, logging systems, and tools with which it can work.
5. Speed in Detecting and Responding to Security Threats: Used in conjunction with a firewall and other layers of security infrastructure, Snort helps organizations detect and respond to system crackers, worms, network vulnerabilities, security threats, and policy abusers that aim to take down network and computer systems.
6. Modular Detection Engine: Snort sensors are modular and can monitor multiple machines from one physical and logical location. Snort can be placed in front of the firewall, behind the firewall, next to the firewall, and anywhere else needed to monitor an entire network. As a result, organizations use Snort as a security solution to find out whether there are unauthorized attempts to break into the network or whether an attacker has already gained unauthorized access to network systems.

Why is Snort so Successful in Monitoring Network Systems?

Snort uses a rule-driven language that combines the benefits of signature, protocol, and anomaly-based inspection methods. With its dramatic speed, power, and performance, Snort quickly gained momentum. With nearly 4 million downloads to date, Snort has become the single most widely deployed intrusion detection and prevention technology in the world. Snort uses a flexible rule-based language to describe traffic that it should collect or pass. Snort’s job is to listen to TCP/IP network traffic and look for signatures in the data flow that might indicate a security threat to an organization’s network and computer systems. Rules are configured to take action. That action varies between passive responses (just logging it or sending an email) to active responses (doing something to stop the malicious activity from happening). Organizations can take advantage of applying new or existing rule-sets provided by the Snort community as well as writing and modifying their own rules according to the requirements of the network. Complex rules can be written to identify just about any type of traffic going across the network and perform some action. Snort rules are continually being reviewed, modified, and improved to detect new and evolving security threats by the support of the Snort community.
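The paragraph above describes the shape of a Snort rule (a header naming action, protocol, addresses, ports and direction, followed by options such as msg and sid) and the split between passive responses (alert, log) and active ones (drop). The following parser is an added example written for this page; it is not Aanval’s code or part of Snort, and the rules it parses are constructed for the example (local SIDs in the 1000000+ range, not from any distributed ruleset). It loads a rule file, classifies each rule by the kind of response its action implies, and flags duplicate SIDs, a common review check before a custom ruleset is pushed to sensors.

```python
import re
from dataclasses import dataclass, field

# Constructed local rules in Snort's rule language. They are written for this
# example only (not taken from the page or from any distributed ruleset) and
# use SIDs in the 1000000+ range reserved for local rules.
SAMPLE_RULES = """\
# local.rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:1;)
log udp any any -> $HOME_NET 514 (msg:"LOCAL syslog; observed"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet blocked"; sid:1000003; rev:2;)
pass tcp $HOME_NET any -> any 443 (msg:"LOCAL trusted HTTPS"; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL duplicate sid"; sid:1000001; rev:1;)
"""

# Snort actions grouped by the kind of response the text describes.
PASSIVE_ACTIONS = {"alert", "log"}             # record the event only
ACTIVE_ACTIONS = {"drop", "reject", "sdrop"}   # take effect in inline (IPS) mode
PASS_ACTIONS = {"pass"}                        # explicitly ignore the traffic

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

    @property
    def sid(self) -> int:
        return int(self.options.get("sid", 0))

    @property
    def response(self) -> str:
        """Classify the rule's action as passive, active, or pass."""
        if self.action in PASSIVE_ACTIONS:
            return "passive"
        if self.action in ACTIVE_ACTIONS:
            return "active"
        if self.action in PASS_ACTIONS:
            return "pass"
        return "unknown"


def parse_options(opts: str) -> dict:
    """Split 'key:value; flag; ...' into a dict, ignoring ';' inside quotes."""
    result, buf, in_quote = {}, "", False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            _store(result, buf)
            buf = ""
        else:
            buf += ch
    _store(result, buf)
    return result


def _store(result: dict, item: str) -> None:
    item = item.strip()
    if item:
        key, _, value = item.partition(":")
        result[key.strip()] = value.strip().strip('"')


def parse_rules(text: str) -> list:
    """Parse every non-comment line; a malformed line raises ValueError."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Snort rule: {line!r}")
        header = [m.group(n) for n in ("action", "proto", "src", "sport", "direction", "dst", "dport")]
        rules.append(Rule(*header, options=parse_options(m.group("opts"))))
    return rules


def duplicate_sids(rules: list) -> set:
    """SIDs used by more than one rule; duplicates make alert attribution ambiguous."""
    seen, dupes = set(), set()
    for r in rules:
        (dupes if r.sid in seen else seen).add(r.sid)
    return dupes


def summarize(text: str) -> list:
    """One (sid, action, response, msg) tuple per rule, for review."""
    return [(r.sid, r.action, r.response, r.options.get("msg", "")) for r in parse_rules(text)]


if __name__ == "__main__":
    for sid, action, response, msg in summarize(SAMPLE_RULES):
        print(f"sid={sid} action={action:<6} response={response:<8} msg={msg!r}")
    print("duplicate sids:", duplicate_sids(parse_rules(SAMPLE_RULES)))
```

The option splitter is quote-aware because a msg string may legitimately contain a semicolon; a naive `split(";")` would corrupt such rules. The response classification is what a reviewer wants to see at a glance: drop rules only have an effect on an inline sensor, so a ruleset full of drop actions on a passive tap is silently logging nothing.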

Suricata IDS Engine Delivers Many Benefits in Combatting Today’s Security Threats

Suricata is an open-source intrusion detection system and is the result of more than four years of development led by the Open Information Security Foundation (OISF) and a number of developers organized to help build the next-generation open-source IDS engine. The goal of OISF is to bring new security ideas and technology innovations to the intrusion detection industry. The non-profit organization accepts contributions from both the government and the private sector, and its initial funding came from government sources, as the organization’s main mission is to protect government records from foreign and domestic adversaries. With financial help from the U.S. Department of Homeland Security, a multi-threaded alternative to Snort was created to help secure networks against advanced intrusions. Suricata’s multi-threaded architecture is unique in that it can take advantage of high-performance multi-core and multi-processor systems. The major benefits of a multi-threaded design are increased speed and efficiency in network traffic analysis and the ability to divide up the IDS/IPS workload according to where the processing is needed. In addition to hardware acceleration (within hardware and network card limitations), the engine is built to utilize the increased processing power offered by the latest multi-core CPU chipsets.

Suricata overall has been developed for ease of implementation, accompanied by step-by-step getting-started documentation and a user manual. The engine is written in C and designed to scale. Although Suricata is still a new and less widespread product compared to Snort, the technology is gaining momentum among enterprises and IT users. Increased performance, native IPv6 support, multiple-model statistical anomaly detection, GPU acceleration, IP reputation, scoring thresholds, very high-speed regex, and scalability are some of the major selling points for Suricata.

To summarize, Suricata, an IDS engine, delivers many benefits in combatting today’s security threats:

1. An Open Source Engine: The power of the community works well within IT security defenses, as a community is more effective than a single organization at capturing characteristics of emerging threats.
2. Multi-threaded: A multi-threaded architecture allows the engine to take advantage of the multiple core and multiprocessor architectures of today’s systems.
3. Supports IP Reputation: By incorporating reputation and signatures into its engine, Suricata can flag traffic from known bad sources.
4. Automated Protocol Detection: Preprocessors automatically identify the protocol used in a network stream and apply the appropriate rules, regardless of the port number. Automated protocol detection also prevents the user configuration mistakes and errors that are, in practice, the more common problem.

Why is Suricata so Successful in Monitoring Sophisticated Types of Attacks?

Suricata is also a rule-based IDS/IPS engine that utilizes externally developed rule sets to monitor network traffic and provide alerts to the system administrator when suspicious events occur. Suricata also uses a “sniffer” engine to analyze traffic entering and leaving a network system. However, its multi-threading capabilities allow the sniffer to match traffic against rules more quickly and apply more computing horsepower to the security process.

Designed to be compatible with existing network security components, Suricata features Unified2 output functionality and pluggable library options to accept calls from other applications. Suricata is also designed to work with Snort rulesets. Furthermore, Suricata integrates newer techniques: the engine embeds an HTTP normalizer and parser (the HTP library) that provides very advanced processing of HTTP streams, enabling the understanding of traffic at layer 7 of the OSI model.

Community Support from Tactical FLEX, Inc.

We support over 6,000 customers in more than 100 countries by delivering real-time, continuous network monitoring and by providing a wide range of product manuals, information security articles, and up-to-date how-to guides. Aanval is built with a unique Situational Awareness engine, and users rely on it because it provides a proactive tool to combat cyber threats and safeguard their virtual and physical assets.

Aanval continues to support both the information security and open source Snort and Suricata communities by providing users with a free non-commercial version of Aanval® that allows full functionality of a single-sensor device. Aanval is designed to work with all versions of Snort and Suricata, and can process syslog data from any device capable of external logging (file or UDP 514).
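The paragraph above notes that Aanval ingests Snort and Suricata events and syslog from any device that can log to a file or to UDP 514. The script below is an added example written for this page, not Aanval’s or either IDS project’s own code: it parses alert lines in the fast.log format both engines emit, and encodes each as an RFC 3164 syslog datagram suitable for a collector listening on UDP 514. The alert lines, hostname, SIDs and addresses are all constructed for the example (RFC 5737 documentation ranges); the severity mapping from Snort priority to syslog severity is an assumption of this example, not a documented Aanval or Snort convention.

```python
import re
import socket
from dataclasses import dataclass
from datetime import datetime

# Constructed alert lines in the fast.log format shared by Snort and Suricata.
# Addresses are RFC 5737 documentation ranges and SIDs are local-rule numbers;
# this is not real sensor output. The third line is deliberately malformed.
SAMPLE_FAST_LOG = """\
01/15-14:22:03.123456  [**] [1:1000001:1] LOCAL inbound SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22
01/15-14:22:09.000321  [**] [1:1000005:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
this line is not an alert
"""

# Constructed timestamp used when the example is run stand-alone.
SAMPLE_TIME = datetime(2013, 1, 15, 14, 22, 3)

# fast.log line: TIMESTAMP [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification block is optional; addresses are restricted to IPv4 here.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: str
    dst: str
    dport: str


def parse_fast_line(line: str):
    """Return an Alert for a fast.log line, or None if the line is not one."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["cls"] or "", int(m["pri"]), m["proto"],
                 m["src"], m["sport"] or "", m["dst"], m["dport"] or "")


# Snort priority 1 is the most severe. This mapping onto syslog severities
# (1 alert, 4 warning, 5 notice, otherwise 6 informational) is this example's
# own choice, not a Snort or Aanval convention.
SEVERITY = {1: 1, 2: 4, 3: 5}
LOCAL4 = 20  # syslog facility local4, commonly used for site-specific sources


def syslog_pri(priority: int, facility: int = LOCAL4) -> int:
    """PRI value as defined by RFC 3164: facility * 8 + severity."""
    return facility * 8 + SEVERITY.get(priority, 6)


def _endpoint(ip: str, port: str) -> str:
    return f"{ip}:{port}" if port else ip


def to_syslog(alert: Alert, hostname: str, when: datetime, facility: int = LOCAL4) -> bytes:
    """Encode one alert as an RFC 3164 datagram: <PRI>TIMESTAMP HOST TAG: MSG."""
    stamp = f"{when:%b} {when.day:>2} {when:%H:%M:%S}"  # e.g. 'Jan 15 14:22:03'
    body = (f"[{alert.gid}:{alert.sid}:{alert.rev}] {alert.msg} "
            f"class=\"{alert.classification}\" priority={alert.priority} "
            f"{alert.proto} {_endpoint(alert.src, alert.sport)} -> {_endpoint(alert.dst, alert.dport)}")
    return f"<{syslog_pri(alert.priority, facility)}>{stamp} {hostname} snort: {body}".encode()


def forward(lines, hostname: str, when: datetime, collector: str = None, port: int = 514) -> list:
    """Build datagrams for every parseable line; send them over UDP if a collector is given."""
    datagrams = [to_syslog(a, hostname, when) for a in map(parse_fast_line, lines) if a]
    if collector:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for d in datagrams:
                sock.sendto(d, (collector, port))
    return datagrams


if __name__ == "__main__":
    # No collector given, so nothing is sent; the datagrams are just printed.
    for d in forward(SAMPLE_FAST_LOG.splitlines(), "sensor01", SAMPLE_TIME):
        print(d.decode())
```

Lines that do not match the format are dropped rather than forwarded as free text, so a collector only ever receives structured events; in production the count of dropped lines is worth tracking, since a sudden rise usually means the sensor’s output format changed after an upgrade.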

Aanval is available for download as a free Community edition, in addition to an unlimited-sensor-capacity, commercially purchased and supported Snort, Suricata, and syslog license. Downloading and installing Aanval is free and takes only minutes to accomplish. Designed to work with all current Linux, Unix, and Mac OS X flavors of operating systems, you can be up, running, and viewing events within minutes. Let Aanval turn your data into actionable and comprehensive insights to reduce security risks. Download Aanval SAS and take it for a test drive to see what real-time security intelligence can do for you at http://www.aanval.com/download.

Aanval® is the industry’s most comprehensive end-to-end SIEM-based Snort and Suricata IDS solution, built with a unique Situational Awareness engine, distinct false-positive protection technology, and a fully integrated event management and attack data correlation engine. Learn more at http://www.aanval.com.

Explore the concept of a SIEM-Based Intrusion Detection System and learn the advantages of using Snort and Suricata IDS in a Security Information Event Management (SIEM) by viewing our article here.

We invite you to download and experience Suricata by visiting the OISF (The Open Information Security Foundation) page here

The most current version of Snort can be downloaded here.

Nmap 6.25 is available for download and plays wonderfully with Aanval SAS

The good developers at Nmap.org recently released Nmap 6.25. It sports performance improvements, better OS/version detection, and more. I downloaded and installed it, and then performed a scan and compared the new results to an old scan on the same IP. I was very pleased with the results: quick and much more accurate, particularly in regards to the mentioned OS detection. 

My first scan with 6.01 returned that the device (a Mac mini) was an iOS device running 5.0.1. The new scan with 6.25, however, accurately revealed the following: Apple Mac OS X 10.8 – 10.8.1 (Mountain Lion). Awesome!

If you’re currently using Nmap with Aanval, get the upgrade from nmap.org. If you’re using Nmap without Aanval or vice versa, you’re missing a fantastic partnership, one that can heavily enhance your situational awareness. Aanval can perform these scans on your networks manually, on a routine schedule, or automatically, to find new Rogue Hosts and return Offensive Reconnaissance of those who might be seeking your harm or downfall.
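The rogue-host use case above comes down to comparing what a scan sees against what you expect to be on the network. The script below is an added example for this page, not Aanval’s code and not part of Nmap: it reads Nmap’s XML output (what `nmap -O -oX scan.xml <targets>` writes, using Nmap’s own `-O` OS-detection and `-oX` XML-output options), picks the highest-accuracy OS match per live host, and lists hosts whose MAC is absent from an asset inventory. The XML document, the MAC addresses, the inventory and the second host’s OS match are constructed for the example; only the Mac OS X 10.8 match string echoes the result mentioned above.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output, trimmed to the elements used here. The
# addresses are documentation ranges and the MACs are from the IANA
# documentation block; the hosts are invented for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.25" args="nmap -O -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <os>
      <osmatch name="Apple Mac OS X 10.8 - 10.8.1 (Mountain Lion)" accuracy="97" line="1"/>
      <osmatch name="Apple iOS 5.0.1" accuracy="88" line="2"/>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.23" addrtype="ipv4"/>
    <address addr="00:00:5e:00:53:aa" addrtype="mac"/>
    <os><osmatch name="Linux 3.2 - 3.7" accuracy="93" line="3"/></os>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed asset inventory: MAC address -> description of the known device.
KNOWN_ASSETS = {"00:00:5E:00:53:01": "Mac mini (ops workstation)"}


def parse_hosts(xml_text: str) -> list:
    """Live hosts with their IPv4, MAC, and the best OS match (name, accuracy)."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        # Nmap may list several osmatch candidates; keep the most confident one.
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        hosts.append({
            "ip": addrs.get("ipv4"),
            "mac": (addrs.get("mac") or "").upper(),   # normalise case before lookup
            "os": best.get("name") if best is not None else "unknown",
            "accuracy": int(best.get("accuracy")) if best is not None else 0,
        })
    return hosts


def rogue_hosts(hosts: list, inventory: dict = KNOWN_ASSETS) -> list:
    """Live hosts whose MAC is not in the inventory (or that reported no MAC)."""
    return [h for h in hosts if h["mac"] not in inventory]


if __name__ == "__main__":
    live = parse_hosts(SAMPLE_NMAP_XML)
    for h in live:
        tag = KNOWN_ASSETS.get(h["mac"], "ROGUE")
        print(f"{h['ip']:<14} {h['mac']:<18} {h['os']} ({h['accuracy']}%)  {tag}")
    print("rogue hosts:", [h["ip"] for h in rogue_hosts(live)])
```

Keying the inventory on MAC rather than IP is deliberate: DHCP reassigns addresses, so an IP-based comparison produces false rogues after every lease churn, whereas a MAC that has never been seen is worth a look. Note that MAC addresses are only visible to Nmap when scanning from the same layer-2 segment; for remote subnets the comparison has to fall back to IP plus OS fingerprint.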

Click here for more information

Take Aanval for a test drive yourself and then browse our helpful guide to get it configured with Nmap